An ongoing trend observed by cybersecurity analysts and malware researchers reveals Telegram messaging service is being abused by malware authors that target e-commerce websites.
The findings revealed by the web security company Astra highlights that malware actors plant scripts on compromised websites that transmit error logs and other sensitive data over encrypted Telegram channels.
“The error logs or sensitive information that are being sent to the hacker via Telegram is to check whether their malware is planted successfully on a website or not, and in another case, if the malware is planted successfully then they’re sending the sensitive information of the victims to a specific telegram number or channel,” said Kanishk Tagade of Astra in a blog post.
“Magento, Prestashop and WooCommerce stores remain the top target of this hacking campaign,” he continued.
The use of an encrypted service allows attackers to not only evade detection of malicious traffic, but also prevent from being blacklisted as they use Telegram’s infrastructure which would naturally be trusted by many security products.
Astra’s engineers stated, “The hacker sends a request with
$_POST[‘name’] = evil.php and $_POST[‘content’] =
“The backdoor script then creates a file called evil.php on the server with the file contents found in
example.com/moreMaliciousCode.txt. The hacker then visits
compromised-site.com/evil.php to execute the bad code.”
According to the engineers, the hacker group is called “B4JAT4X” based on the clues left in the malicious source code.
These findings follow a recent discovery by Malwarebytes where the company had found web skimmers stealing credit card information from infected websites and transmitting it over Telegram to the attackers.
With the rise in popularity of end-to-end encryption messaging platforms, attacks like these are only expected to grow and evolve with newer tactics.
“Security experts have long been recommending regular malware scanning as a key security measure for the safety of websites,” says Tagade.
“It is time you primed your websites with due security measures to keep it protected at all times,” he concluded.